Providing secure connections and protecting traffic confidentiality and integrity between mobile stations (MSs) and base stations (BSs) via wireless communications can be a challenge for wireless mobile communication technology. Each wireless technology can provide standards, procedures, and protocols to ensure security and authentication of messages between the mobile stations and base stations. Wireless mobile communication standards can include the third generation partnership project (3GPP) long term evolution (LTE) standard and the Institute of Electrical and Electronics Engineers (IEEE) 802.16 standard (e.g., 802.16e, 802.16m), which is commonly known to industry groups as WiMax (Worldwide Interoperability for Microwave Access).
Some common security risks include identity exposure, dictionary attacks, man-in-the-middle (MitM) attacks, and session hijacking. The Extensible Authentication Protocol (EAP) can be used to mitigate these security risks by using keys and message authentication. EAP is a mechanism that can define a standard message exchange between devices using an agreed-upon authentication protocol.
A typical WiMax wireless network 100, as illustrated in FIG. 1, can include a mobile station (MS) 110, a base station (BS) 122, an Access Service Network (ASN) Gateway (GW) 124, and an Authentication, Authorization and Accounting (AAA) server 132. The base station and the ASN gateway can be included as part of the ASN 120, and the AAA server can be included as part of the Connectivity Service Network (CSN). Communication between networking devices may use different interfaces with various signaling overheads. Communication between the mobile station and the base station (or other ASN device) may use an R1 interface 112. Communication between the base station and the ASN gateway (in the ASN) may use an R6 interface 126. Communication between the ASN gateway (or other ASN device) and the AAA server (or other CSN device) may use an R3 interface 134.
During a successful WiMax EAP authentication between the mobile station (MS) 110 and the AAA server 132, a Pairwise Master Key (PMK) can be generated, which resides on both the mobile station and the AAA server. The PMK may be transmitted to the ASN gateway 124. The ASN gateway may be referred to as an Authenticator. The ASN gateway and mobile station may separately calculate an authentication key (AK). The authentication key may be transferred to the base station. The base station and mobile station may use the authentication key to encrypt and decrypt messages.
After a specified time, or after an event indicating that data integrity has been compromised, the mobile station (MS) 110 and the AAA server 132 may perform EAP re-authentication to generate a new authentication key. EAP authentication or calculation of a new AK can occur each time a handover occurs between base stations in the ASN.
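The key hierarchy described above (PMK shared by MS and AAA, AK derived independently by MS and ASN gateway and handed to the BS, with a fresh AK per handover and a fresh PMK per EAP re-authentication), as an added illustrative model that is not part of the original disclosure. The HMAC-SHA256 counter-mode derivation is an assumption standing in for the standard's own key derivation function, and the random 32-byte PMK is a constructed placeholder for the EAP-derived key.

```python
import hmac
import hashlib
import os

def kdf(key: bytes, context: bytes, length: int = 20) -> bytes:
    # Illustrative HMAC-SHA256 counter-mode KDF (assumption: this is not the
    # 802.16 standard's own KDF, which is not reproduced here).
    out, counter = b"", 1
    while len(out) < length:
        out += hmac.new(key, bytes([counter]) + context, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def derive_ak(pmk: bytes, ms_id: bytes, bs_id: bytes) -> bytes:
    # MS and authenticator compute this independently from the shared PMK,
    # binding the AK to the MS identity and the serving BS identity.
    return kdf(pmk, ms_id + bs_id + b"AK")

def eap_authenticate() -> dict:
    # Outcome of a successful EAP run: MS and AAA now hold the same PMK.
    # Constructed: a random 32-byte value stands in for the EAP-derived PMK.
    pmk = os.urandom(32)
    return {"ms": pmk, "aaa": pmk}

def provision(keys: dict, ms_id: bytes, bs_id: bytes):
    # AAA passes the PMK to the authenticator (ASN GW); MS and ASN GW each
    # derive the AK; ASN GW forwards the AK to the serving BS. The BS never
    # receives the PMK, so it holds only the key it actually needs.
    asn_gw = {"pmk": keys["aaa"]}
    ak_ms = derive_ak(keys["ms"], ms_id, bs_id)
    ak_gw = derive_ak(asn_gw["pmk"], ms_id, bs_id)
    bs = {"ak": ak_gw}
    return ak_ms, asn_gw, bs

def handover(keys: dict, asn_gw: dict, ms_id: bytes, new_bs_id: bytes):
    # Handover within the ASN: a new AK is computed for the target BS from the
    # existing PMK, without another full EAP exchange with the AAA server.
    ak_ms = derive_ak(keys["ms"], ms_id, new_bs_id)
    ak_gw = derive_ak(asn_gw["pmk"], ms_id, new_bs_id)
    return ak_ms, {"ak": ak_gw}

def protect(ak: bytes, msg: bytes) -> bytes:
    # Message integrity tag computed from an AK-derived key (illustrative);
    # MS and BS verify each other's messages with matching tags.
    return hmac.new(kdf(ak, b"MAC"), msg, hashlib.sha256).digest()
```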
Reference will now be made to the exemplary embodiments illustrated, and specific language will be used herein to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended.